Sunday, March 9, 2014
Nearly 1,700 credit and debit card numbers stolen from shoppers at the five Target stores in Maine are for sale on at least one black market website, as thieves cash in on one of the largest data thefts in history.
The numbers stolen from Maine shoppers were among 1.5 million consumer accounts, all stolen from Target over a two-week period, that were available for prices ranging from about $20 to $100 each. The website, which allows buyers to search for account data according to such variables as issuing bank and the specific store from which the accounts were stolen, promised there would be more batches of card numbers for sale in coming days.
State officials previously could not confirm whether any Maine shoppers were affected by the massive Target data theft. They were shocked Friday when the Portland Press Herald showed them a black market site selling the card numbers.
“That’s really unbelievable – an eBay-type shopping site for credit cards,” said William Lund, superintendent of the Maine Bureau of Consumer Credit Protection.
So far, the black market site has listed for sale only a fraction of the estimated 40 million card numbers stolen from Target’s U.S. stores between Nov. 27 and Dec. 15.
As of Friday, the website listed about 500 cards stolen from the Target store in South Portland, 450 from the Bangor store, 300 from the Topsham location, and more than 200 each from the Augusta and Biddeford stores.
Given that the credit and debit card numbers are actively being sold online, local cybersecurity experts urged Mainers who shopped at Target during the security breach to cancel the cards they used immediately.
“There are consumer protection laws against unauthorized charges, but it’s easier just to call and cancel the cards and get new ones,” said Joshua Silver, a shareholder in the Portland law firm Bernstein Shur and a cybersecurity specialist.
The black market website is being operated by a Russian hacker who goes by the name Rescator, and who is active on the digital underground forum Lampeduza, a gathering place for hackers and other cybercriminals, security analysts and bloggers said.
The Press Herald declined to publish the online address of the website because it is a criminal enterprise, and the danger to those who visit the site is unknown.
Card data have been added to the site in batches of about 120,000 to 500,000 at a time over the past 10 days. Any visitor to the site can register and browse the database.
Each listing shows the first six digits of the card number, also called the “BIN” (bank identification number), which identifies the issuing bank. Also listed are the name of the bank, the expiration date, whether it is a consumer, business, gold or platinum card, and the location from which the numbers were stolen. Location is important to thieves, since banks often flag a transaction as potentially fraudulent if it is made far away from where the card is customarily used.
The listing also indicates whether the data include detailed “Track 1” information, such as the cardholder’s name and a security code embedded in the card’s magnetic strip. The perpetrators of the Target heist did not obtain the three-digit security code imprinted on the back of most credit and debit cards, according to Target.
Finally, the website lists the asking price for each card’s data, which in most cases is between $20 and $50. The online purchaser can buy multiple items at a time via a shopping-cart system similar to that of Amazon.com and other e-commerce websites.
In order to make a purchase, the buyer must first send money to Rescator and his accomplices, either via a virtual currency such as Bitcoin or a wire transfer to Western Union in Lviv, Ukraine.